Why a BAA is critical for dental practices

What's a BAA, and why is it so important for your dental practice? Dr. Lorne Lavine explores why this document could be crucial to HIPAA compliance.

As most dentists are aware, the data we collect on patients is often not limited to our eyes only. There are many professionals that we work with on a daily basis that have access to patient information.

Some of these people include:

  • Your accountant

  • IT company

  • Offsite data backup provider

  • Email provider

All of these people are called business associates. According to HHS, A “business associate” is any person or entity that performs activities or specific functions for the dental practice which would involve the use or disclosure of patient information.” It is important to understand that anyone involved with the continuum of care, or those expected to have only inadvertent access to data, are not included in this list. So, for example, referring offices, labs and office cleaning crew are not business associates, nor is any company that acts as a conduit for information such as the US Postal Service or UPS.

More from Dr. Lavine: To encrypt or not to encrypt... it's not really a question!

So, why is all this important? Well, dental practices are required to have a written agreement in place with each one of their business associates. The Privacy Rule requires dental practices to have written assurance that its business associates will safeguard all patient information it receives or creates for the practice. The new rule also allows the government to impose penalties on the business associates and their subcontractors. That was not the case previously.

The final version of the HIPAA Rules require that covered entities (that would be you) enter into contracts with their business associates (that would be us) to ensure that the business associates will appropriately safeguard protected health information.  This Business Associate Agreement also serves to specify the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract, or as required by law.

A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. 

More from Dr. Lavine: Risky business: HIPAA compliance and the importance of risk analysis assessments

So, what do you need to do? Easy, find a Business Associates Agreement template that was written after the Omnibus Rules went into effect in 2013 (you can email me at drlavine@thedigitaldentist.com and I will gladly send you one). Send it to all your business associates, and keep a copy of the signed agreement with both signatures on it.

By the way, if a company won’t sign the agreement, then you should re-evaluate your relationship with them. For example, if you’re using regular Gmail for sending patient info, Google will not sign the agreement, and since regular Gmail isn’t HIPAA compliant anyway, that’s a good time to look into a more compliant solution for email. The same holds true for all other potential business associates you have.